Firefox tab pops

Status
Not open for further replies.
> msvcrt.dll: _vsnwprintf, wcslen, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, __set_app_type, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
> NDdeApi.dll: -, -, -, -
> ntdll.dll: RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlCreateSecurityDescriptor, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtOpenDirectoryObject, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlInitString, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtSetInformationProcess
> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
> Secur32.dll: GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, LsaCallAuthenticationPackage
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, KillTimer, GetMessageTime, SetLogonNotifyWindow, UnlockWindowStation, SetTimer, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, SetCursor, DefWindowProcW, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, RegisterClassW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
> USERENV.dll: WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, GetUserProfileDirectoryW, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, -
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon, _WinStationNotifyLogoff
> WINTRUST.dll: CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
> WS2_32.dll: -, getaddrinfo, -

( 0 exports )
 
Ok, i guess it is fine.

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
sorry if it took a while. the kaspersky scan took hours.

attached is the result. it was revealing.

i guess i should delete the infected files right away, or no?
 
That is the problem with downloading programs from undocumented, unsigned sources. However, it looks like it is just the installers that need removed. Instead of going through manually just do this.

Run CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Documents and Settings\Jay Garcia\Desktop\Program Installers\devhook_ultimate_installer_v1091.exe
C:\Documents and Settings\Jay Garcia\Desktop\Program Installers\mirc616.exe
C:\Documents and Settings\Jay Garcia\Desktop\Program Installers\va21.exe

Folder::
C:\Documents and Settings\Jay Garcia\Desktop\Program Installers\0--USED--0\Alcohol_1_.120.v1.9.7.6022
C:\Documents and Settings\Jay Garcia\Desktop\Program Installers\0--USED--0\DivX Pro 6.8.2.9 FULL + Crack + Serial
C:\Documents and Settings\Jay Garcia\Desktop\Program Installers\0--USED--0\Nero 8.4.0.0 Ultra Edition Pre-Release

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Also when you launch firefox click Tools -> options -> content tab -> make sure block popups is checked. Then you can always add exceptions when you need them
 
so i don't need to do the cfscript thing anymore?

here's the hijackthis i did just now.

windows update is alerting me for new updates, i haven't downloaded and applied it yet thinking it might affect something. just tell me if it's safe to do so.

also, my norton internet phising protection seems to be not working since combofix. can it be fixed?

lastly, when i scan with spyware doctor it detects files associated with combofix (ifo or puf files or something), so far i haven't done anything about it coz i guess it is needed. i just thought to inform you.
 
The found updates is a good sign, but good thinking to wait on those by you.

Norton should start working after we uninstall, as well as reset clock ect.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

OTCleanit! by Oldtimer
  • Download OTCleanIt
  • Click the CleanUp! button.
    • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).
 
norton is still not working though.

when i uninstalled the combofix. a popup appeared it says it didnt find "\blahblah\cmd.exe"
 
perfect. I think that clears things up. Let me go back to the log I remember seeing some entries that were indirectly related.
 
Let's have a look at the suggested registry key from NirCmd

Open notepad and copy and paste next bold in it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\swearware"
type peek1.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat , choose to save as *all files and place it on your desktop.

It should look like this on your desktop:
batgif.jpg


Doubleclick look.bat
Notepad will open with some txt in it. Copy and paste the contents in your next reply.
 
That is just out of curiosity, I think it is a false positive.

I also want to know if you have a current subscription with Norton

I need you to manually delete the following folders
C:\qoobox
C:\ComboFix
 
i do have a current subscription in norton. my norton is licensed and original, not cracked.

i do not find the folders in C:\
 
I think we should uninstall/re-install norton then.

I am 99% sure that is a false positive by spyware doctor

Do you still have the original problem with the popup in firefox?
 
i'm already sending the email with look.txt
i also found a file named Bug.txt in C:\, it might be nothing but i sent it in the email too.

i will reinstall norton. and will update you when it's done.

in spyware doctor, it said that:

Application.NirCmd is a legitimate application,
the threat level is Info_PUAs,
description: A legitimate application.Under certain circumstances,howver,some people might find it undesirable.

but i don't experience the firefox popups anymore... =D

does this mean that everything went well? and how can i protect my comp from further infections etc.?

thanx for everything
 
I will post back in a little while with how we can tighten up security a bit.

Just wanted to check a few more things in the logs
 
Status
Not open for further replies.
Back